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Abstract 

Various mechanisms for authenticating users of computer-based information 
systems have been proposed. These include traditional, user-selected passwords, 
system-generated passwords, passphrases, cognitive passwords and associative passwords. 
While the mechanisms employed in primary passwords are determined by the operating 
systems’ manufacturers, system designers can select any password mechanism for 
secondary passwords, to further protect sensitive applications and data files. 

This paper reports on the results of an empirically based study of passwords 
characteristics. It provides a comparative evaluation on the memorability and users’ 
subjective preferences of the various passwords mechanisms, and suggest that cognitive 
passwords and associative passwords seem the most appropriate for secondary passwords. 

CR Catcttorics and Subject Descriptors : 

D.4.6 [Security and Protection]: access control; authentication. 

General Terms : Passwords. 

Additional Kewords : Primary passwords. Secondary passwords, Passphrases, 



Associative passwords. Cognitive passwords. 
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1. Introduction 

Access control based on verification of a person’s identity is a commonly used 
method in computer installations. The most popular method is to provide authorized 
users with passwords, which serve as the "key" for authorized use of a computer systems 
and try to make unauthorized access virtually impossible [2, 5, 8, 9, 10, 12, 13, 15, 

17, 19]. 

Commonly, passwords are used as a sole authentication mechanism to a 
computer-based information system, controlling access to an entire set of computing 
resources through the operating system [1, 15]. These passwords are referred in the 
literature as primary passwords. However, passwords can also be used to further control 
access to segments of these resources [13]. These are called secondary passwords and 
are used with particular resources such as specific applications or data files. Figure 1 
presents a multilevel security environment, where primary passwords are used to limit 
the accessibility of the operating system and secondary passwords are used as an 
additional security mechanism to further protect sensitive applications and data files. 



Insert Figure 1 about here 



The format of primary passwords is determined by the operating systems’ 
manufacturers and the use of traditional, user-selected, passwords is common to most of 
them. However, their use at lower levels of a security system is not mandatory and it is 
possible to incorporate alternative password mechanisms as secondary passwords at the 
application level. 

A partial list of methods includes system-generated passwords [13], passphrases 
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[16], cognitive passwords [6, 25], and associative passwords [17]. However, no 
comparative evaluation or analysis of user preferences have yet been reported. This 
research is based on empirical data and aims at evaluating the characteristics of the 
various authentication techniques. 

2. Traditional Passwords 

Traditional passwords are the most commonly used authentication method in 
existing operating systems [7, 8, 13, 15]. With this mechanism, a new user is introduced 
to the system by a given user-id and instructed to select a password to be known only to 
him. This user-id and password pair serves for user authentication and authorizing use of 
a computer system while trying to block unauthorized access to the computing resources. 

Despite their widespread use, passwords are known to suffer from several pitfalls. 
First, the tradeoff between memorability and safety poses a dilemma in the generation 
of passwords. Passwords should be difficult to guess and easy to remember [11, 15, 16]. 
For passwords to be difficult to guess, they should be selected from a large domain. 
Nevertheless, if passwords are chosen to make them difficult to guess, they may also be 
difficult to remember. The most secure type of password is a random string of 
characters [3, 16, 20]. Although such passwords are difficult to guess by others, users 
generally dislike them because random, arbitrary passwords are difficult to remember. 
Instead, most users will resort to meaningful details, such as name, nickname, initials, 
birthdate, and so on [3, 13]. 

A password that is difficult to remember compels a user to write it down, 
ensuring they will not forget them but compromising its secrecy [14]. On the other 
hand, if a difficult password is not written down, it may well be forgotten, resulting in 
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serious inconvenience [2, 16]. Therefore, an organization should establish a password 
policy that strikes a balance between ease of remembrance and susceptibility to 
compromise [20]. 

3. Alternative Password Techniques 

3.1 System-Generated Passwords 

With a system-generated password, a password is automatically generated by the 
operating system and assigned to a user. A common practice in this method is that a 
pseudo-random number generator arbitrarily creates a string of alphanumeric characters 
as the password [3, 4, 13]. 

The basic characteristics of system-generated passwords make them more difficult 
to guess than traditional passwords [14]. However, being composed of a random 
sequence of alphanumeric characters, these passwords are usually more difficult to 
remember since there is no meaningful relation to the user [13]. As a result, the high 
degree of complexity may cause the user to write down or even forget the password, thus 
failing to provide secure access control [18]. Also, this method may result in friction 
between the user and the administrator’s need to meet security requirements. 

3.2 Passphrascs 

A variation of the traditional password system is an extended password, known as 
a passphrase. A passphrase consists of a meaningful sequence of words, e.g. "to be or 
not to be". Because it becomes more difficult to guess or find out a password as its 
length increases, a passphrase is designed to form a compromise between ease of 
memorability and difficulty in figuring out. The longer, extended password of 30 to 80 
characters becomes difficult to guess [16]. Unlike system-generated passwords, the 
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passphrase is generated by a user, allowing a selection of a meaningful sequence of 
words for ease of memorability. In the passphrase method the sheer length of the 
passphrase provides the desired security, so having the passphrase unrelated to the user 
is not as stringent a requirement. The following example shows how length thw'arts a 
possible intruder. If a user were to use a minimum of 30 alphabetic characters, over 
1,000,000,000,000 possible combinations exist. This definitely makes the brute force 
attempt of trying all possible character combinations a formidable obstacle to an 
intruder [15]. 

3.3 Cognitive Passwords 

Another alternative to the traditional password system is a the cognitive 
passwords mechanism. This method is based on a question-and-answer mode, where, 
instead of a user entering just one password, he is required to enter several passwords, 
one at a time, when prompted by the computer. Cognitive passwords are based on an 
individual user’s perceptions, personal interests and personal history. This information is 
unique to the individual and is neither commonly associated with the user by others, nor 
could it easily be found in personal records [21]. Examples of questions for cognitive 
items include: "What is the first name of your favorite uncle", "what is the name of the 
elementary school from which you graduated", "What is your favorite type of music" or 
what is your favorite color". 

In order to make the cognitive password mechanism effective, the system should 
consist of non-trivial questions as the stimulus for user responses. If trivial questions, 
such as "What is your name?", are chosen, then an intruder will more easily break into 
the system than if, for example, "What was the name of your first girlfriend/boyfriend?" 



is used. 
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A cognitive password system combines both system-generated and user-defined 
characteristics. It is system-generated in the sense that the system creates the questions 
to stimulate a response from a user. The exact responses to these questions would 
entirely be user-determined. As such, the password system is set up basically as an 
access quiz. If the user responds correctly to a series of questions concerning himself, 
then he would be authorized access to the system [6]. 

Every new user is assigned with a user-id by the system administrator and asked 
to create his or her a user profile by answering a set of 20 cognitive items [6]. In a 
typical session, a user desiring access enters his or her assigned user-ID. Having passed 
the user-ID validity test, a user is presented with five randomly selected questions from 
the same set that was user to create the profile. Tlie questions are presented 
sequentially, one at a time. Upon gathering all five answers, they are compared against 
the stored cognitive data in the user’s profile database, using the evaluation mechanism. 
If correct, access is granted. If one or more answers do not match, a user might be 
given a second chance but presenting another set of five questions to be answered. 

Like the other password methods described, responses to these questions need to 
be entered exactly for a user to gain access. Because the responses vary in length, 
cognitive passwords have no preset length associated with them. They also would be 
meaningful items, as opposed to a random string of alphanumeric characters. 

Since cognitive passwords consist of meaningful details, they are likely to be easy 
for a user to remember, but difficult for an intruder to guess or find out. Cognitive 
passwords may be of such length that a brute force method of trying all character 
combinations would be thwarted. Also, a cognitive password system requires several 
questions to be answered correctly, adding further security to the system. 
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On the other hand, there are some disadvantages in the use of cognitive 
passwords. In a traditional password system it is difficult for a user to remember one 
password, therefore remembering many cognitive passwords would seem to be harder for 
the user [17]. Also, it is unlikely that a user would remember all of his responses so 
establishing an acceptable miss percentage may be difficult to do. If set too low, 
intruders may penetrate the system; if set too high, authorized users may be denied 
access. 

3.4 Associative Passwords 

Another password mechanism requiring a series of passwords to verify user 
identity is associative passwords [17]. In this alternative, the user constructs a list of 
cues and responses that would be unique to the individual. A trivial e.xample would be 
the cue w'ord "high" which would require the response "low". Smith [17] designed this 
model with the thought that an initial list of 20 cues and responses per user would be 
sufficient to allow flexibility in changing the cues presented to the user when logging in 
to the system. Depending upon the security of the system, a user would be required to 
give from one to several correct responses. 

The actual structure is based on a single-word cue and a one-word response. 
Doing so allows for ease of memory for the user. Similarly, the user is responsible for 
constructing all 20 cues and responses making it user-friendly [17]. 

In order to make this method a stronger impediment to intrusion, the word 
associations should be non-trivial. For example, a list of 20 opposites (e.g. "good" and 
bad", "yes" and "no", "black" and "white") would be easy to penetrate [17]. To make 
construction of the list easier and to make it easier for the user to remember the 
responses, it is helpful for a particular user to choose one central theme [17]. For 
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instance, a user may associative passwords profile around the Beatles. In this case, cues 
may include "abbey", "John", "yellow" and "george" and have responses of "road", 
"Lennon", "submarine" and "Harrison", respectively. 

Finally, a user is expected to generate correct responses to gain access to the 
system. As with cognitive passwords, every new user is assigned with a user-id and 
asked to create 20 word associations which compose his or her a user profile. Then, a 
user desiring access enters his or her assigned user-id which is matched against his or 
her profile. Having passed the user-id validity test, a user is presented with five 
randomly selected cues from the a set of 20 word associations in his or her profile. The 
cues are presented one at a time and responded by the matching word association. 

Upon gathering all five responses, they are compared against the stored user’s profile 
database. If correct, access is granted. If one or more answers do not match, a user 
might be given a second chance and another set of five cues is randomly selected from 
the database. 

Smith postulated several advantages to this method; 

1. The responses would be easy to remember. 

2. Without knowledge of the theme and non-trivial associations, the responses would 
be resistant to intrusion. 

3. Since the cues and responses are selected by the user, there would be little user 
resistance to such a method. 

4. The cues and responses would uniquely identify each individual user. 

5. If a need arises to change a cue and response, it could easily be altered without 
altering or compromising the rest of the list. [17] 

On the other hand. If a user is not careful in constructing the word associations, 
the responses may be easily guessed. Also, a user may be tempted to write down the 
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cues and responses or the central theme since there would be so many responses to 
remember. This would lead to compromise. Finally, like cognitive passwords, a user 
would likely not remember all the responses so an acceptable margin of incorrect 
responses would have to be established. 

4. Research Mcthodolofv 

4.1 Instrumentation 

To assess the ease of recall for the various password mechanisms, two nearly 
identical versions of a self-administered questionnaire - Form-1 and Form-2 - were 
developed. Using Form-1 (see Appendix A), respondents created their passwords for 
the various methods. Form-2 questionnaires were answered by the same group of 
respondents three months later and aimed at assessing their ability to recall the different 
types of passwords. The questionnaires consisted of: 

a. Demographic Items 

The first part of Form-1 asked for each respondent’s age, sex, years of computer 
usage, the types of computer which they have used (mainframe, stand-alone micro or 
micro linked to mainframe) and the last four digits of their U.S. Social Security number 
(SSN). Form-2 asked only for the SSN digits, so that each copy could be matched with 
its counterpart Form-1. The SSN digits were used to mask the identity of individual 
respondents in this study, while letting us match Forms 1 and 2 for each of respondent. 

b. Creation and Assignment of Passwords and Passphrases 

The second part of Form-1, but not Form-2, asked each respondent to construct a 
password consisting of any combination of up to eight alphanumeric characters. They 
were urged to memorize and safeguard this password as they would any other password. 
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They were then asked how they devised this password. For example, did they use a 
meaningful detail such as a name, a date or a number ? Did they use a combination of 
meaningful details ? Did they use a random choice of characters or some other 
means?. 

The second part of Form-1 contained a unique eight character password that was 
assigned to each respondent. Here the Form-1 questionnaires were split into two 
groups. Fifty-five of the Form-1 questionnaires had a system-generated random 
alphanumeric password. The other forty-eight questionnaires had a pronounceable 
system-generated password. To distinguish between the two versions of Form-1, the 
random alphanumeric form was designated Form-IR and the pronounceable password 
form was designated Form-lP. The respondents were urged to safeguard this password 
as well. 

Also included in the second part of Form-1 was a segment requesting each 
respondent to create a passphrase consisting of any combination of up to 80 
alphanumeric characters. There was no requirement as to the minimum number of 
characters or words in the passphrase. The respondents were again urged to memorize 
and safeguard this passphrase as they would any other password. Then they were asked 
how they devised this passphrase. Five choices were given: (1) nonsensical phrase; (2) 
a quotation; (3) a piece of advice; (4) a common phrase; or (5) other means. 

c. Cognitive passwords 

Both Form-1 and Form-2 are identical in their third part. It consisted of 20 open 
questions which asked for items of information that were described as cognitive 
passwords. These items were classified into two categories of responses. The first group 
contained six items of personal facts assumed to be known only by the respondent or 
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someone socially close to the respondent, for example, elementary school attended, 
mother’s maiden name or father’s occupation. The second category consisted of 14 
opinion-based items which ask the respondent to choose a favorite item, for example, 
favorite vacation place, favorite restaurant or favorite fruit. Once again, it was assumed 
that these responses would be known only by the respondent or someone socially close 
to him. 

d. Associative Passwords 

The last part of the Form-1 requested the user to come up with a list of 20 word 
associations. In formulating these 20 cues and responses, the respondents were advised 
to centralize them around a common theme but this was not set as a mandatory 
requirement. There was no limitation or minimum number of alphanumeric characters 
in either the cues or responses. 

e. Items for Recall of Passwords 

The Form-2 questionnaire was designed to assess tlie ability of the respondents to 
recall those passwords used on Form-1. It was administered to the same group three 
months after the administration of Form-1. 

Where Form-1 assigned passwords to the respondents (either random or 
pronounceable), asked each respondent to create a password, and also a passphrase, the 
later Form-2 asked them to recall those passwords. First, it asked each person to recall 
the password of his or her own making. It then asked them whether they recalled their 
password from memory or had resorted to writing it down. Secondly, the respondents 
were asked to recall the password that we assigned to them on Form-1. Next, they were 
asked to recall the passphrase they used in Form-1. They were also asked whether they 
recalled it from memory or had written it down. 
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/. Items for Recall of Cognitive Passwords 

The cognitive passwords section of the Form-2 version was identical to Form-1. 
The same respondents were asked the same questions again. In examining a system of 
passwords based upon cognitive information, the correlation between the Form-1 and 
Form-2 responses to cognitive items three months apart was of interest. 

g. Items for Recall of Associative Passwords 

In the identical Form-2 version of the word association section, the same 
respondents were asked to regenerate their list of 20 cues and responses. As soon as 
the respondent had generated as many associations from memory as possible, they were 
given a list of their original 20 cues as a memory aid. They were then asked to write 
down as many of their responses as they remembered. If, at this point, they were still 
unable to remember their responses, they were given the central theme (taken from 
their corresponding Form-1 questionnaire), if any, to aid them in correctly remembering 
their responses. 

h. Items Concerning Ranking of the Various Password Methods 

The last section of Form-2 requested the respondents to rank the various 
password methods -- user-generated passwords, system-generated pas.swords, passphrases, 
cognitive passwords and associative passwords - by two distinct characteristics: ease of 
recall and how they liked them. 

4.2 Sample and Data Collection Design 

The Form-1 questionnaire was administered to 103 graduate students, majoring in 
management information systems. The average age of the participants was 33 years, in a 
range of 25 to 42. 85% of them were male and 15% were female. They averaged five 
years of experience with computers. Twelve percent said they had no computer 
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experience before starting graduate studies. Forty-eight percent reported that they used 
some combination of microcomputer and mainframe, 32% said their computer 
experience was limited to microcomputers, while 8% claimed to have only used a 
mainframe. 

The Form-2 version of the questionnaire was administered to the same user 
respondents three months after the Form-1 administration. All of the original 103 
Form-1 respondents participated in the Form-2 administration. 

5. Findings 

5.1 Recall of Self-generated Passwords 

Of the 103 respondents, 27.2% were able to recall correctly the password they 
had created themselves three months earlier. Among the respondents who recalled their 
password, 42.9% said they remembered it without aid, 7.1% said they wrote it down 
even though they were instructed not to. 17.9% said it was the only password they ever 
used so it was easy to remember. Finally, 32.1% gave "other means" as the basis for 
recall. 



The characteristics of the self-generated passwords were examined according to 
three attributes: selection method, format and length. Table 1 shows how the 
respondents constructed their self-generated password. The majority of the respondents 
(67%) used some form of meaningful detail in creating their password. 
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Method 


Number 


Percentage 


Meaningful detail 


46 


45% 


Combination of 
meaningful details 


23 


22% 


Random characters 


1 


1% 


Other 


33 


32% 



Table 1; Methods for selecting self-generated passwords 



The format of the self-generated passwords is depicted in Table 2. As expected, 
(see [21]), the respondents mainly used alphabetics in creating their passwords. More 
interesting is the fact that 93% of the 28 respondents who recalled their password used 
alphabetics only. 



Format 


Number 


Percentage 


Alphabetic only 


76 


74% 


Alphanumeric 


24 


23% 


ASCII 


3 


3% 



Table 2: Formal of self-generated passwords 

Tlie distribution of self-generated passwords according to their length is presented 
in Table 3. Since most operating systems support a password length of up to 8 
characters, there were eight spaces on the Form-1 questionnaire. Most of the 
respondents (54%) tended to use all the spaces when making up their passwords. 
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I.^ngth fcharacters') 


Number 


Percentage 


3 


1 


1% 


4 


8 


8% 


5 


10 


10% 


6 


17 


16% 


7 


11 


11% 


8 


56 


54% 



Table 3: Length of self-generated passwords 



5.2 Recall of System-generated Passwords 

Table 4 reflects the ability of the respondents to recall either the assigned 
random alphanumeric password or the pronounceable password. As expected, more 
respondents were able to recall a pronounceable, system-generated, password than a 
random-character, system-generated, password. The increased memorability of 
pronounceable passwords is further supported in Table 5. While 83% of those 
remembering their pronounceable pas.sword claimed to recall it from unaided memory, 
no one was able to recall their random-character, system-generated password from 
memory. Moreover, 67% of the re.spondents who recalled their pronounceable pas.sword 
stated that they remembered it because it was pronounceable. 



Type of 
Password 


Number 

Assicned 


Number 

Recalled 


Percentage 


Pronounceable 


48 


18 


38% 


Random alphanumeric 


55 


7 


13% 


Total 


103 


25 


24% 



Table 4: System-generated passwords recall 



Method of recall 
Pronounceable Passwords 


Number recalled 


Percentage 


Unaided memory 


15 


83% 


Written down 


3 


17% 


Random Passwords 


Unaided memory 


0 


0% 


Written down 


7 


100% 



Table 5: Method of recall for system-generated passwords 
5.3 Recall of Passphrascs 

Of the 103 respondents, only 21.4% were able to recall the passphrase which they 
had created three months earlier. As expected, a longer string of characters, even 
though it formed an expression familiar to a respondent, made it difficult to remember. 
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There was no marked difference between the general characteristics of the passphrases 
chosen and those that were recalled. The average length of all passphrases was 23 
characters, compared to an average of 21 characters in recalled passwords. The average 
number of words in a passphrase was 5 while the number of words in recalled passwords 
averaged 4.4. compared to an average of 21 characters in recalled passwords. For those 
respondents who did remember their passphrase, 20 of 22 (91%) recalled it from 
unaided memory while only 2 (9%) had written it down. 

5.4 Recall of Cognitive Passwords 

The overall average number of correct matches by the respondents on all 
cognitive passwords between Form-1 and Form-2 was 14.8 out of 20 correct responses, 
or 74%. This average is somewhat lower than the 82% match reported in previous 
research by Zviran and Haga [21]. Figure 2 reflects this distribution. Of interest is the 
grouping of the respondents at the high end of the spectrum. While there are a few 
outliers at the low end of the spectrum, lowered the mean, 62.1% of the respondents 
had 15 or more correct responses. 



Insert Figure 2 about here 



Besides the overall match, the respondents’ performance for each individual 
question is of interest. As previously discussed, the cognitive questions were split into 
six fact-based questions and 14 opinion-based questions. The success of the respondents 
in recalling cognitive passwords over a three month period is expre.ssed in the 
percentage of correct matches that were produced on Form-2. 'Fable 6 shows that the 
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recall for the fact-based questions was high, 83.7%. Even the lowest cognitive question 
had a recall rate of 74.8%, twice the recall rate for any of the previous password 
methods. 

Percent 



Matched 

Fact-Based Item Correctly 

What is the name of the elementary 

school from which you graduated? 85% 

What is the name of your 

favorite uncle? 86% 

What is the name of your 

best friend in high school? 85% 

What is your mother’s maiden name? 93% 

What was the first name of your 

first boyfriend/girlfriend? 75% 

What is the occupation 

of your father? 79% 



Table 6: Respondents’ recall on fact-based cognitive items 

The success rate for the recall of the opinion-based questions is lower than for 
the fact-based questions. The average percentage of correct responses here was 70%. 
There was a fairly wide variance with the number of correct responses ranging from 
49.5% to 87.4%. The questions that had the lowest success rate dealt with an 
individual’s favorite restaurant, actor or actress, and choice of alternative profession. 
Two possible explanations for missing these questions are: (1) At the time of 
administration of Form-1, the respondent may have wavered between a couple of 
answers, failing to remember which one he had chosen three months earlier and 
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selecting a different answer on Form-2; and (2) these questions call for answers that may 
have changed for the respondent since the administration of Form-1. Therefore, the 
respondent may have answered the question according to his opinion at the time of the 
administration of Form-2, as opposed to responding as he did when he first answered 
the question. Table 7 presents the results of the opinion-based cognitive questions. 



Percent 

Matched 

Opinion-Based Item Correctly 

What was the name of your favorite class in high school? 78% 

What is the name of your favorite music performer or group? 80% 

What is your favorite type of music? 86% 

What is the name of your favorite vacation place? 66% 

If you could travel to any country in the world, 

which would it be? 71% 

What is the last name of your favorite actor or actress? 58% 

What is your favorite flower? 87% 

What is your favorite dessert? 66% 

What is your favorite vegetable? 75% 

What is your favorite fruit? 66% 

What is your favorite color? 75% 

If you could change occupations, which new occu|xition 

would you choose? 55% 

What is the name of your favorite restaurant? 50% 

What is the last name of your favorite college instructor? 67% 

Table 7: Respondents’ recall on opinion-based cognitive items 
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5.5 Recall of Associative Passwords 

The overall average number of correct matches by the respondents on all the 
word associations between Form-1 and Form-2 was 13.8 out of 20 (69%). The 
respondents fell anywhere in the continuum from 0 to 20 responses correct as shown in 
Figure 3. Of note is that 60 respondents (58.3%) got 14 or more matches correct. 



Insert Figure 3 about here 



As expected, when first asked to recall both their cues and responses, the 
respondents on average were able to generate only 4.1 out of the 20 (20.5%). However, 
when presented with their list of cues they were able to recall responses albeit with 
some errors. Not one respondent requested to know what their theme was. Either 
there was no theme or the list of 20 cues made them remember their theme. While it 
was expected that few would need their theme to generate responses, it w'as surprising 
that not one, including the one who got none of his responses correct, requested his 
theme to help figure out the responses. 

5.6. Ranking of the Various Methods 

As a last task, the respondents were asked to rank the various methods of user 
authentication. First, they were asked to rank the five methods based on their ease-of- 
recall. The password method perceived to be the easiest to remember was ranked T 
and the most difficult to remember passw'ords were ranked ’5’. Table 8 presents the 
users’ ranking of passwords according to their ease-of-recall. 
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Password 


Overall 


Average 


Method 


Rank 


Score 


User-generated 


1 


1.98 


Associative 


2 


2.41 


Cognitive 


3 


2.67 


Passphrases 


4 


3.45 


System-generated 


5 


4.46 



Table 8: Password ranking by ease-of-recall 



User-generated passwords were ranked first 50 times. Second was authentication 
by word association with 29 first place rankings. Third was cognitive passwords with 14 
first place rankings. Passphrases were fourth with two first places. Finally, system- 
generated passwords (no distinction was made between random or pronounceable) were 
ranked last with no one choosing it as easiest to remember. 

Next, respondents were then asked for their subjective ranking of the various 
methods according to how they liked them. The order was the same, as reflected from 
Table 9. User-generated passwords received 47 first place rankings, word association 
had 30, cognitive passwords had 16, passphrases had three, and one person liked system- 
generated passwords the best. 



Password 
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Overall 


Average 


Method 


Rank 


Score 


User-generated 


1 


1.96 


Associative 


2 


2.39 


Cognitive 


3 


2.73 


Passphrases 


4 


3.38 


System-generated 


5 


4.54 



Table 9; Password ranking by how they were liked 
6. Discussion 

Recall of Passwords and Passphroses 

Over a three month period, only 27.2% of the respondents could recall a 
password they had created themselves. Worse, only 12.7% of the respondents could 
remember their system-generated random alphanumeric password. However, 38% of 
the respondents assigned with a system-generated pronounceable password were able to 
recall it, compared to 13% for a random, alphanumeric, system-generated passwords. 
Thus, pronounceable passwords, although unrelated to a user’s lifestyle or a meaningful 
detail, seems to be more memorable to a user than a self-generated password. As for 
random, alphanumeric, system-generated passwords, not one respondent was able to 
recall such a password from memory after a three-month period. 

21.4% of the survey respondents were able to recall their passphrases. Most of 
the respondents (77.7%) chose passphrases consisting of fewer than the minimum 
recommended 30 characters [16]. Nevertheless, they still had little success in recalling 
the passphrase. 
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Recall of Cognitive Passwords 

Using sets of fact-based and opinion-based questions, the respondents recalled an 
average of 74% of their cognitive passwords after three months. Only two of these 
respondents were able to recall all 20. When the fact-based cognitive passwords were 
analyzed separately, the recall averaged over 83%. The recall performance on the 
opinion-based cognitive passwords was far lower than for the fact-based password.s, 
resulting a 74% recall on the average. 

A previous research [21] reported a better rate of recall for the same set of 
cognitive passwords. Nevertheless, the recall of the cognitive passwords in this study was 
noticeably better than for any of the previously described password alternatives. Overall, 
the findings support the notion that the ease of recall of cognitive passwords is superior 
to that of traditional passwords [21]. 

Recall of Associative Passwords 

After three months, the respondents recalled, on average, 69% of their associative 
passwords. Seven of the respondents remembered all 20 responses and almost a third 
could recall 90% or more of their responses. While there was success at the high end of 
the spectrum, there was a fairly uniform distribution of respondents remembering from 
30% to 90%. An explanation for this distribution is that the respondents were given 
free reign in making up their word associations. Unlike the cognitive password section, 
in which all the respondents answered the same set of questions, the word associations 
had various degrees of difficulty depending upon how challenging each respondent 
decided to make them. 

Even with this wide variance, the average success rate was over twice as that of 
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the traditional user-generated password method. In comparison with the overall success 
rate of cognitive passwords, the recall of associative passwords was somewhat less (69% 
compared to 74%). However, there were almost twice as many respondents (30 versus 
17) scoring 90% or more correct responses on the word associations than on the 
cognitive passwords. 

Smith’s research [17] used a smaller sample size and showed that after six months 
the four respondents in his survey group could recall 94% of their word associations 
[17]. This is considerably higher than the 69% success rate after three months from this 
survey group. The difference in sizes of the two groups probably accounts for the 
difference in success rate. Smith concluded that authentication by word association 
seemed promising for finding a better method for user authentication. The results of 
this study support his conclusion. 

Ranking of the Various Methods 

When asked to rank the various methods as to how easy they were to remember, 
the respondents clearly chose user-generated passwords as the one that they thought was 
easiest. However, this method was one of the worst for recall by the respondents. 

Other than this, the rankings generally reflect how the respondents actually did in 
recalling their "passwords" from the different metliods. 

When the respondents ranked the methods by how they liked them, those that 
were user-oriented were ranked highest. Of interest is the fact that there was little 
difference between the two rankings. This shows that the respondents may have 
interpreted that how they liked a certain method meant that it was easy to remember. 
This would explain why the respondents chose user-generated passwords as easiest to 
remember when in reality they were not. 
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7. Conclusion 

While primary passwords mechanisms, serving as a basic authentication 
mechanism in most operating systems, are determined by the operating systems’ 
manufacturers, the selection of a password mechanism to be employed for secondary 
passwords is determined by the designers of the specific applications. The underlying 
question in this selection process is which of the various password mechanisms is the 
most suitable for this purpose. 

Several user authentication mechanisms were examined in this study, resulting 
two ratings. When user ability to recall the different types of passwords is examined, 
pronounceable passwords, cognitive password and associative password proved to be 
much better than passphrases, random system-generated passwords, or even user- 
selected passwords. The respondents subjective Judging of the password mechanisms, 
both for ease-of-remembrance and how they liked it, ranked traditional passwords first, 
followed by the two handshaking mechanisms (cognitive and associative passwords) and 
then the others. A third rating focuses on ease of guessing or brute-forcing. Previous 
research [2, 3, 4, 13, 14, 21] suggests that this characteristic depends on the password 
length, the character set from which it was drawn and frequency of changing the 
password. Based on these characteristics, cognitive and associative passwords are ranked 
first, followed by passphrases, system generated passwords and traditional passwords 
being last. 

When deciding on a particular password mechanism to be employed as for 
secondary passwords, two major considerations need to be taken in account; the desired 
security level of the application policy and user convenience of logging-in (easc-of-use). 

If an organization desires just to upgrade its traditional password system, without making 
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radical changes, then eight-character pronounceable passwords, usually consisting of one 
word, are be used. These passwords, either user-selected or system-generated were 
proven easiest to remember. One pitfall they have is that users dislike system-generated 
passwords; so by allowing the users to choose them, this password method should be 
more desirable to the user. Pronounceable passwords also offer a high degree of 
security as they are a mix of alphanumeric characters that do not form an actual word or 
phrase [3, 13]. 

If an organization desires to extend its present user authentication method to 
make it the best possible, then authentication by cognitive or associative passwords 
should be selected. These two mechanisms have shown to be the easiest to remember 
of the various methods discussed here. Yet, previous research [17, 21] demonstrated 
their high level of security, difficulty of guessing and applicability. Moreover, users 
ranked them second and third as both easiest to remember and the one they liked. 

Both authentication by word association and cognitive passwords provide better 
security than traditional password systems [17, 21]. They proved to be user-friendly and 
offer ease of memorability. Thus, these two mechanisms seem to be the most 
appropriate for implementation at a secondar)' authentication level. The 
implementation experience reported by Haga and Zviran [21] lends further 
support to the applicability of handshaking techniques for this purpose. 

Two avenues for future research are proposed. First, a comparative evaluation is 
needed to further explore the ease-of-use and the ease of-guessing of cognitive and 
associative passwords. Second, real-life experience with these mechanisms, providing 
additional evidence for their feasibility and applicability is also required. 
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Annendix A 



Form-1 Questionnaire 



PART A: PERSONAL INFORMATION 

Please answer the following questions: 

Sex (Circle one): Male Female 

Last 4 digits of your SSN 

Number of years of computer usage: 

Type of computer(s) you have used prior to NPS (check any that apply): 

Microcomputer 

Microcomputer linked to a mainframe 

Mainframe terminal 



PART B: PASSWORDS AND PASSPHRASES 

For the purpose of this survey anytime you are requested to memorize something 
do not write it down. This is for all parts of this survey - passwords, passphrases, 
cognitive passwords and word association. 

1. Please create and write in the boxes below a password, up to 8 alphanumeric 

characters. Please memorize and safeguard it as you normally do your passwords. 

As with other parts of this survey, you will later be asked to recall what you have 
been requested to memorize. 



2, How did you choose the password above? (Circle one) 

A. A meaningful detail (name, date, number, etc.) 

B. A combination of meaningful details (JIM 1989, etc.) 

C. A randomly chosen combination of characters 

D. Other (please specify) 

3. The following password has been assigned to you for this study. Please memorize 
and safeguard it as you would any other password. This password is 
pronounceable, which may help you remember it. For instance, UN41’UNE8 
would be unfortunate. 
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4. A passphrase is a string of up to 80 alphanumeric characters. Theoretically, it is 
more secure than a normal password since it is unlikely that someone will guess 
it. The passphrase can be silly like "Susie sells seashells by the seashore," or it 
can be a quotation or a common phrase. Please construct a passphrase of your 
choice in the space below. Please memorize it and safeguard it as you would any 
other password. 



5. How did you choose your passphrase above? (Circle one) 

A. Nonsensical phrase that I can remember 

B. A quotation 

C. A piece of advice 

D. A common phrase 

E. Other (please specify) 



PART C: COGNITIVE PASSWORDS 



Cognitive passwords suggest the use of fact, interest and opinion-based cognitive 
data, that are known only to the user as an authentication mechanism. Please answer 
the following questions using a maximum of 20 characters. 

1. What is the name of the elementary school from which you 

graduated? 

2. What is the first name of your favorite uncle? 

3. What is the first name of your best friend in high school? 



4. What is your mother’s maiden name? 

5. What was the first name of your first boyfriend/girlfriend? 



6. What was the name of your favorite class in high school? 

7. What is the name of your favorite music performer or 
group? 

8. What is your favorite type of music? 

9. What is the name of your favorite vacation place? 

10. If you could travel to any country in the world, which would 
it be? 



11. What is the last name of your favorite actor or 
actress? 

12. What is your favorite flower? 

13. What is your favorite dessert? 

14. What is your favorite vegetable? 

15. What is your favorite fruit? 

16. What is your favorite color? 

17. If you could change occupations, which new occupation 
would you choose? 

18. What is the name of your favorite restaurant? 

19. What is the occupation of your father? 

20. What is the last name of your favorite college 
instructor? 



PART D: WORD ASSOCIATION 

Another form of access control is a challenge-and-response query after a user has 
logged on. When the user correctly responds to the queries, the system ensures that it is 
the authorized user who has logged on. One such method is a series of word 
associations. Each user creates 20 word associations peculiar to him. For instance a 
user could decide to set up a table composed of queries that remind him of musical 
artists. The partial table is listed; 



QUERY 

Virgin 



RESPONSE 

Madonna 

Beethoven 



Deaf 

Eliminator 

Glasses 

Lips 



ZZTop 



Elton_John 

Mick_Jagger 



So, after initial logon, the system would query: Glasses? 
The authentic user would then respond; Elton_John 
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1. Now construct a set of word associations for yourself. Please list 20 associations. 
While it is helpful for memory purposes to use one theme throughout it is not 
mandatory. Here are some other suggestions for possible themes: comic strips, 
authors, TV shows, movies, family members. 

QUERY RESPONSE 

1 . 

2. 

3. 

4. 

5. 

6 . 

7. 

8. 

9. 

10. 

11. 

12. 

13. 

14. 

15. 

16. 

17. 

18. 

19. 

20. 



Theme(if any) 



Thank you for your cooperation ! 
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Figure 1: A multilevel security environment 
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Figure 2: Distribution of respondents recall of cognitive items 
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Figure 3: Distribution of respondents recall of word associations 
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